<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta name="keywords" content="异新U, Linux and Windows server maintenance; website development; LAMP server maintenance, Hunan server maintenance network, professional Linux server maintenance, CentOS RedHat Ubuntu Windows server maintenance, Hunan IT outsourcing company, services" />
<meta name="description" content="异新U provides professional IT outsourcing services to small and medium enterprises and individuals, including server and workstation software maintenance and hardware inspection, with annual maintenance plans for Windows, Linux and CentOS systems. Hunan server maintenance network, the professional Linux server maintenance provider for the Hunan region" />
<!--Author: Xiang Lu  Email:158026647597@139.com  QQ:316686606-->
    <link rel="stylesheet" type="text/css" href="http://www.yixinu.com/skis/templates/include/newCascadeStyleSheet.css" />
    <script type="text/javascript" src="http://www.yixinu.com/skis/templates/include/newjavascript.js"></script>
    <script type="text/javascript" src="http://code.jquery.com/jquery-1.4.2.min.js"></script>
<title>Professional Server Maintenance, Website Construction, Linux Server Maintenance, Enterprise LAN Construction, Enterprise Mail System Construction | 异新U, Hunan</title>
</head>
<body>
    <div class="h20 top1"></div>
    <div class="header1" id="header1" >
        <div class="logo1"><a href="#"><img src="http://www.yixinu.com/skis/templates/include/yxu-logo.png" /></a></div>
        <div class="channel1 h40" id="channel1">
            <ul class="channel2">
                <li><a href="http://www.yixinu.com/">Home</a></li>
                                <li><a id="19"  href="/content/19.html">Services</a></li>
                                <li><a id="23"  href="/channel/23.html">Technical Documents</a></li>
                                <li><a id="32"  href="/channel/32.html">wiki</a></li>
                                <li><a id="30"  href="/content/30.html">About Us</a></li>
                            </ul>
        </div>
    </div>
    <div class="h10"></div>
    <div class="h140"><div class="w990 content_sty1">Our Servers</div></div>
    <div class="h10"></div>
<div class="content2" id="content2">
    <div class="w70"><p><font class="myfont2">Using a Shell Script to Block SSH and vsftpd Brute-Force Attacks</font></p><br /><div class="h110"></div><br /><p style="text-indent:2em;text-align:left;">[51CTO exclusive] On a newly deployed FTP backup server, a routine check of the /var/log/secure log turned up a large number of failed authentication messages from sshd and vsftpd. Clearly someone was trying to steal passwords with a brute-force tool, so a security script was needed to stop them.</p><p style="text-indent:2em;text-align:left;">The script's requirements are as follows: it runs from a crontab entry every 6 hours (the interval can be set to suit the actual situation), reads the /var/log/secure log, extracts the IPs making malicious guesses, and if the number of connections from an IP within the unit period (one week) exceeds a threshold, for example 100 (the threshold can also be set to suit the actual situation), adds it to the /etc/hosts.deny blacklist; IPs below the threshold are ignored.</p><p style="text-indent:2em;text-align:left;">The failed authentication messages in /var/log/secure look like this:</p><pre>Nov 28 10:18:08 centos2 sshd[7556]: Connection closed by 222.216.30.109
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109  user=root
Nov 28 10:18:09 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=222.216.30.109  user=root
Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 222.216.30.109 port 2391 ssh2
Nov 28 10:18:10 centos2 sshd[7552]: Connection closed by 222.216.30.109
Nov 28 10:18:10 centos2 sshd[7553]: Failed password for root from 222.216.30.109 port 2397 ssh2
Nov 28 10:18:10 centos2 sshd[7554]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7557]: Failed password for root from 222.216.30.109 port 2401 ssh2
Nov 28 10:18:11 centos2 sshd[7558]: Connection closed by 222.216.30.109
Nov 28 10:18:11 centos2 sshd[7559]: Failed password for root from 222.216.30.109 port 2403 ssh2
Nov 28 10:18:11 centos2 sshd[7560]: Connection closed by 222.216.30.109
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=centos1.cn7788.com
Nov 28 10:37:01 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user hello
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=centos1.cn7788.com
Nov 28 10:37:19 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yhc
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=centos1.cn7788.com
Nov 28 10:37:36 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:44 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yuhongchun rhost=114.112.169.70
Nov 28 10:42:44 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user yuhongchun
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:42:56 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=andrewyu rhost=114.112.169.70
Nov 28 10:42:56 centos2 vsftpd: pam_succeed_if(vsftpd:auth): error retrieving information about user andrewyu</pre><p style="text-indent:2em;text-align:left;">Let us look at how the /var/log/secure file is rotated:</p><pre>[root@centos2 log]# ls -lsart secure.*
512 -rw------- 1 root root 516379 11-04 01:31 secure.4
660 -rw------- 1 root root 668192 11-11 00:05 secure.3
304 -rw------- 1 root root 306589 11-17 10:33 secure.2
484 -rw------- 1 root root 488620 11-25 02:33 secure.1</pre><p style="text-indent:2em;text-align:left;">Basically, the secure file is rotated on a weekly cycle. Readers with strict security requirements can also harvest the malicious IPs from the older rotated secure files listed above, on the principle that none should escape. Next we need an efficient way to extract these malicious IPs. Following the <a href="http://andrewyu.blog.51cto.com/1604432/662500">original version</a> of the shell script, we could extract the IP addresses probing the vsftpd and sshd services from the secure log with the following command:</p><pre>cat /var/log/secure | awk '/Failed/{print $(NF-3)}'| sort| uniq -c| awk '{print $2"="$1;}'</pre><p style="text-indent:2em;text-align:left;">Obviously this does not pick up the IPs of vsftpd failures, because the failure messages sshd writes differ from those vsftpd writes. I wrote several variants mixing awk and sed and timed them; the pure awk version was the fastest. You can write a few variants yourself and compare them with the time command. Finally I trimmed the code down and completed the whole script, shown below:</p><pre>#!/bin/bash
# Denyhosts for vsftpd and sshd
# 2012-12-28
# Pull every rhost= value (sshd and vsftpd PAM failures alike) out of the secure log and count occurrences per host
awk '{for(i=1;i&lt;=NF;i++){if($i ~ /rhost/)print substr($i,7)}}' /var/log/secure  | sort | uniq  -c  &gt;/root/black.txt
DEFINE="100"
# uniq -c writes "&lt;count&gt; &lt;host&gt;" on each line; read the two fields line by line
# (a for loop over the output of cat would split each line into two separate words)
while read NUM IP
do
        if [ "$NUM" -gt "$DEFINE" ];
        then
          grep -q "$IP" /etc/hosts.deny
          if [ $? -gt 0 ];
          then
          echo "sshd:$IP" &gt;&gt;  /etc/hosts.deny
          echo "vsftpd:$IP" &gt;&gt; /etc/hosts.deny
          fi
        fi
done &lt; /root/black.txt</pre><p style="text-indent:2em;text-align:left;">After the script has run for a while, we can look at some of the files it involves, such as /root/black.txt:</p><pre>[root@centos2 ~]# cat /root/black.txt
      2 113.17.144.156
      4 114.112.51.208
      4 114.112.69.170
    169 118-163-227-50.hinet-ip.hinet.net
      8 119.188.7.200
      8 122.70.130.11
     61 124.248.32.246
     12 183.203.14.121
      3 189.26.255.11
     56 199.204.237.60
      3 199.30.53.220
      5 201.236.80.4
      6 220.172.191.31
     30 222.216.30.109
     60 222.253.159.111
     58 223.4.180.23
    166 58.221.42.178
      1 61.132.4.85
    152 61.142.106.34
     22 61.167.33.222
      7 85.126.166.83
    166 www.b-nets.com</pre><p style="text-indent:2em;text-align:left;">The contents of /etc/hosts.deny are as follows:</p><pre>sshd:124.248.32.246
vsftpd:124.248.32.246
sshd:199.204.237.60
vsftpd:199.204.237.60
sshd:222.253.159.111
vsftpd:222.253.159.111
sshd:223.4.180.23
vsftpd:223.4.180.23
sshd:58.221.42.178
vsftpd:58.221.42.178
sshd:61.142.106.34
vsftpd:61.142.106.34
sshd:118-163-227-50.hinet-ip.hinet.net
vsftpd:118-163-227-50.hinet-ip.hinet.net
sshd:www.b-nets.com
vsftpd:www.b-nets.com</pre><p style="text-indent:2em;text-align:left;">Finally, we put this shell script into crontab so that it runs once every six hours:</p><pre>0 */6 * * * root /bin/bash /root/hostsdeny.sh &gt;&gt; /dev/null 2&gt;&amp;1</pre><p style="text-indent:2em;text-align:left;">Because /var/log/secure is rotated weekly, the script's execution frequency can be set as you see fit: if the server seems to be probed frequently, shorten the interval; otherwise, lengthen it.</p><p><span style="font-size:14px;color:#7F7F7F;">Source: http://os.51cto.com/art/201211/368438.htm</span><br /></p></div>
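<p style="text-indent:2em;text-align:left;">The script below is an added example, not the article's or 51CTO's own code. It runs the same procedure end to end on a constructed log sample (203.0.113.10 and 198.51.100.7 are documentation addresses, not real hosts) and splits it into three functions that can each be checked on their own: count the rhost= values of sshd and vsftpd PAM failures, keep hosts above a threshold, and work out which hosts.deny lines are still missing. It differs from the article's script in three deliberate ways: an empty rhost= field (which PAM writes when the client address is unknown) is skipped instead of being counted as a host; the threshold loop reads line by line rather than word-splitting the output of uniq -c; and the existing-entry check matches whole lines, so 1.2.3.4 is not mistaken for an entry for 11.2.3.45. It only reports the lines it would add; writing them to /etc/hosts.deny is left to the caller. Keep in mind that hosts.deny only affects services that consult tcp_wrappers; for vsftpd that requires tcp_wrappers=YES in vsftpd.conf.</p>

```shell
#!/bin/sh
# Added example (not the original article's script). Runs offline on a
# constructed log sample and never touches /etc/hosts.deny.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
# Constructed sample lines in the /var/log/secure format; the addresses are
# documentation ranges, not real hosts.
cat > "$SAMPLE_LOG" <<'EOF'
Nov 28 10:18:08 centos2 sshd[7557]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root
Nov 28 10:18:10 centos2 sshd[7551]: Failed password for root from 203.0.113.10 port 2391 ssh2
Nov 28 10:18:11 centos2 sshd[7559]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.10  user=root
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): check pass; user unknown
Nov 28 10:37:01 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=hello rhost=198.51.100.7
Nov 28 10:37:19 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=yhc rhost=198.51.100.7
Nov 28 10:37:36 centos2 vsftpd: pam_unix(vsftpd:auth): authentication failure; logname= uid=0 euid=0 tty=ftp ruser=guest rhost=198.51.100.7
Nov 28 10:40:00 centos2 sshd[7600]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=  user=root
EOF

# Step 1: count failures per remote host. Both sshd and vsftpd PAM failure
# lines carry an "rhost=<host>" field; a bare "rhost=" with nothing after it
# is skipped. Output is "<count> <host>", highest count first.
count_rhost() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^rhost=./) print substr($i, 7) }' "$1" \
        | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# Step 2: hosts whose count is strictly greater than the threshold ($2).
# Reading line by line keeps each count with its host.
over_threshold() {
    count_rhost "$1" | while read -r num host; do
        if [ "$num" -gt "$2" ]; then
            echo "$host"
        fi
    done
}

# Step 3: the hosts.deny lines for host $1 that are not yet present in the
# deny file $2. Whole-line fixed-string matching avoids substring matches.
deny_lines() {
    for svc in sshd vsftpd; do
        if ! grep -q -F -x -e "$svc:$1" "$2"; then
            echo "$svc:$1"
        fi
    done
}

# Demo run on the sample with a threshold of 2 (the article uses 100 on
# /var/log/secure); prints 198.51.100.7.
over_threshold "$SAMPLE_LOG" 2
```

<p style="text-indent:2em;text-align:left;">To use this on a real server, point count_rhost at /var/log/secure (and at the rotated secure.N files if you want the whole week), pass 100 as the threshold, and append the output of deny_lines for each reported host to /etc/hosts.deny; since "Failed password" lines carry no rhost= field, only the PAM failure lines are counted, which is also what the article's awk does.</p>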
    <div class="w28">
    <div class="w100">
    <div class="channel_title1"><div class="channel_title1_b2"><img src="http://www.yixinu.com/skis/templates/include/yxu-ico.png" /></div><div class="channel_title1_b1">Recent Documents</div></div>
    <div class="channel4">
        <ul>
                        <li><a href="/readarticle/23/artid/23.html" title="Three-Tier Network Architecture">Three-Tier Network Architecture</a></li>
                        <li><a href="/readarticle/23/artid/22.html" title="Network Virtualization: Meeting New Enterprise Campus Network Challenges Without Rebuilding">Network Virtualization: Meeting...</a></li>
                        <li><a href="/readarticle/32/artid/21.html" title="25 SSH Commands You Must Remember: Have You Used Them?">25 SSH Commands You Must...</a></li>
                        <li><a href="/readarticle/32/artid/20.html" title="Why Use /usr/bin/env">Why Use /usr/bin/env</a></li>
                        <li><a href="/readarticle/23/artid/19.html" title="A History of the Data Center: 1960 to 2010">A History of the Data Center...</a></li>
                        <li><a href="/readarticle/23/artid/18.html" title="On the Future of the Open Source World">On the Future of the Open Source World</a></li>
                        <li><a href="/readarticle/23/artid/17.html" title="From Online Shopping to Train Tickets: A Look at the Technical Architecture of Taobao and 12306">From Online Shopping to Train Tickets...</a></li>
                        <li><a href="/readarticle/23/artid/16.html" title="A Programmer's Reflections on His Career">A Programmer's Reflections on His Career</a></li>
                        <li><a href="/readarticle/23/artid/15.html" title="MySQL Founder: Cloud Computing Must Be Built on Open Source">MySQL Founder: Cloud Computing...</a></li>
                        <li><a href="/readarticle/23/artid/14.html" title="How Does WordPress Manage Employees in 94 Countries?">How Does WordPress Manage...</a></li>
                    </ul>
    </div>
</div>        <div class="w100">
    <div class="h40 w100"></div>
    <div class="channel_title1"><div class="channel_title1_b2"><img src="http://www.yixinu.com/skis/templates/include/yxu-ico.png" /></div><div class="channel_title1_b1">Contact Us</div></div>
    <div class="channel4">
        <ul>
            <li>异新U : <a  class="myfont1" href="http://www.yixinu.com">www.yixinu.com</a></li><li>Phone : <font class="myfont1">15802647597</font></li><li>Phone : <font class="myfont1">18684694187</font></li><li>QQ : 316686606</li><li>Email : <font class="myfont1">15802647597@139.com</font></li>
        </ul>
    </div>
</div>    </div>
</div>
    <!--footer-->
    <div class="footer2"></div>
    <div class="footer" id="footer">
        <div class="footer4 w100"></div>
        
        <script type="text/javascript">setwidth();var var1=new Array('23','31');</script>
        <script type="text/javascript" src="http://www.yixinu.com/skis/templates/include/newjavascript1.js"></script>
    </div>
</body>
</html>